Back to skill

Security audit

Skill Publish To Market

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate skill-publishing helper, but it needs Review because it asks for powerful tokens and can create remote uploads, branches, and pull requests.

Install only if you intentionally want an agent to publish skills externally. Use a dedicated short-lived or fine-grained GitHub token where possible, avoid unnecessary workflow/private-repo access, confirm the exact platforms, files, repositories, branches, and PR/publication visibility before each run, and revoke tokens after publishing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (16)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The example invocations "retry anthropic" and "status" are overly generic and could be triggered during normal conversation or reused out of context by an agent, causing unintended publishing retries or status operations. In a skill that performs external side effects across multiple platforms, ambiguous triggers materially increase the risk of accidental action.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README advertises token collection, HTTP publishing, file uploads, and PR creation without prominently warning users that the skill will handle credentials and perform irreversible external actions. This can mislead users into granting high-privilege tokens or triggering network operations without understanding the security implications.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The activation phrases include broad terms like 'submit PR', 'deploy skill', and 'upload skill', which can match ordinary development requests unrelated to marketplace publishing. In an agent context, this can cause the skill to activate unexpectedly and steer the session into credential collection and external publishing flows the user did not explicitly request.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation directs users to create GitHub tokens with broad `repo` and `workflow` scopes, but does not warn that these are highly sensitive credentials or advise minimal handling practices. In a publishing skill that performs GitHub API operations, this increases the chance users expose overprivileged tokens to the agent, logs, shell history, or unintended destinations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The recovery text asks the user for a new ClawHub token without any warning that the token is a secret that must be protected. Because this skill is designed to collect and use platform tokens, omission of safe credential-handling guidance materially raises the risk of accidental disclosure or unsafe reuse.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The playbook instructs collection and verification of GitHub and ClawHub tokens but does not clearly warn the user that the tokens will be transmitted to external services for validation. This can undermine informed consent and lead users to reveal sensitive credentials without understanding where they are being sent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
These instructions direct the skill to upload skill files and create PRs across multiple third-party platforms without an explicit warning that local content will leave the current environment. That creates a real data-exfiltration risk if users publish sensitive, proprietary, or unintended files under the assumption the action is local or internal.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The status-check workflow sends bearer tokens and publish metadata to external APIs but does not explicitly inform the user of that transmission. Even though the endpoints are legitimate, using credentials against external services without a clear warning reduces transparency and can expose sensitive repository or publishing information unexpectedly.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The template instructs users to send bearer tokens and local skill files to third-party services, but it does not explicitly warn that credentials and repository contents are being transmitted off-host. In a publishing skill, this is expected functionality, but the lack of disclosure and consent language increases the risk of accidental token misuse, oversharing, or publishing sensitive files.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
These templates perform state-changing GitHub operations including forking repositories, creating branches, uploading files, and opening pull requests, yet they do not clearly disclose that remote resources will be modified. Because this skill automates publication, the behavior is aligned with its purpose, but users still need explicit notice before external mutations occur.

External Transmission

Medium
Category
Data Exfiltration
Content
### Verify Token
```bash
curl -s \
  -H "Authorization: Bearer {TOKEN}" \
  -H "Accept: application/json" \
  https://clawhub.ai/api/v1/whoami
Confidence
88% confidence
Finding
curl -s \ -H "Authorization: Bearer {TOKEN}" \ -H "Accept: application/json" \ https://clawhub.ai/api/v1/whoami ``` Expected: `{"handle":"username",...}` ### Publish Skill ```bash curl -s -X PO

External Transmission

Medium
Category
Data Exfiltration
Content
curl -s \
  -H "Authorization: Bearer {TOKEN}" \
  -H "Accept: application/vnd.github+json" \
  https://api.github.com/user
```
Expected: `{"login":"username",...}`
Confidence
87% confidence
Finding
https://api.github.com/

External Transmission

Medium
Category
Data Exfiltration
Content
curl -s -X POST \
  -H "Authorization: Bearer {TOKEN}" \
  -H "Accept: application/vnd.github+json" \
  https://api.github.com/repos/{OWNER}/{REPO}/forks \
  -d '{}'
```
Wait 3 seconds after forking.
Confidence
93% confidence
Finding
https://api.github.com/

External Transmission

Medium
Category
Data Exfiltration
Content
curl -s -X POST \
  -H "Authorization: Bearer {TOKEN}" \
  -H "Accept: application/vnd.github+json" \
  https://api.github.com/repos/{USERNAME}/{REPO}/git/refs \
  -d '{"ref":"refs/heads/{BRANCH}","sha":"{BASE_SHA}"}'
```
Confidence
91% confidence
Finding
https://api.github.com/

External Transmission

Medium
Category
Data Exfiltration
Content
curl -s -X PUT \
  -H "Authorization: Bearer {TOKEN}" \
  -H "Accept: application/vnd.github+json" \
  "https://api.github.com/repos/{USERNAME}/{REPO}/contents/{TARGET_PATH}" \
  -d '{"message":"Add {FILE} for skill: {SKILL_NAME}","content":"'"$CONTENT"'","branch":"{BRANCH}"}'
```
Confidence
95% confidence
Finding
https://api.github.com/

External Transmission

Medium
Category
Data Exfiltration
Content
curl -s -X POST \
  -H "Authorization: Bearer {TOKEN}" \
  -H "Accept: application/vnd.github+json" \
  https://api.github.com/repos/{OWNER}/{REPO}/pulls \
  -d '{"title":"Add skill: {SKILL_NAME}","head":"{USERNAME}:{BRANCH}","base":"{DEFAULT_BRANCH}","body":"Adding skill **{SKILL_NAME}** via skill-publish-to-market.\n\nFiles:\n- SKILL.md\n- references/templates.md\n- references/playbooks.md\n- references/fallbacks.md\n- references/runbook.md"}'
```
Extract: `.html_url`, `.number`
Confidence
92% confidence
Finding
https://api.github.com/

VirusTotal

44/44 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.